Re: httpd-guardian errors not in error_log?
2007-04-01 04:31:34 GMT
Thanks, I guess I knew I could append the output to any file I liked in this fashion. I suppose my question was more of a "why?" than a "how?" ;)
Perhaps a note should be made here?
Or within the comments of httpd-guardian itself, which seem to indicate this isn't a necessary step.
Either way, it's not a big deal. Thanks for mod_security, it's been working great for us!
-Miles
Miles,
Just change the location of your open command to point to your Apache error_log like this –
open STDERR, ">>/path/to/apache/logs/error_log";
Now, once httpd-guardian takes action, you will see entries like this in your error_log file –
httpd-guardian: IP address HASH(0x92e08d0) reached the 1 min threshold (speed = 2.76712328767123 req/sec, threshold = 0.01 req/sec)
httpd-guardian: Executing: /usr/bin/logger DoS Attack Identified from 127.0.0.1
The 2nd line above is from my own "test" configuration where I am just using logger to create a Syslog alert and not actually blackholing the client on the firewall.
# If defined, execute this command when a threshold is reached
# block the IP address for one hour.
# $PROTECT_EXEC = "/sbin/blacklist block %s 3600";
# $PROTECT_EXEC = "/sbin/samtool -block -ip %s -dur 3600 snortsam.example.com";
my $PROTECT_EXEC;
# For testing only:
# $PROTECT_EXEC = "/sbin/blacklist-webclient %s 3600";
$PROTECT_EXEC = "/usr/bin/logger DoS Attack Identified from %s";
The point is that a message will be generated when httpd-guardian identifies a client that has gone over your defined threshold of requests/time interval and when it executes a responsive action.
Hope this helps.
--
Ryan C. Barnett
ModSecurity Community Manager
Breach Security: Director of Application Security Training
Web Application Security Consortium (WASC) Member
Author: Preventing Web Attacks with Apache
--------------
Web Security Threat Report Webinar on May 9, 2007 (12 pm EST)
Learn More About the Breach Webinar Series:
http://www.breach.com/webinars.asp
--------------
From: mod-security-users-bounces <at> lists.sourceforge.net [mailto:mod-security-users-bounces <at> lists.sourceforge.net] On Behalf Of Miles Crawford
Sent: Friday, March 30, 2007 5:52 PM
To: mod-security-users <at> lists.sourceforge.net
Subject: [mod-security-users] httpd-guardian errors not in error_log?
Hey folks, I'm playing with using mod_security and httpd-guardian to protect against scripting and automation.
httpd-guardian is configured like:
SecGuardianLog "|/usr/local/bin/httpd-guardian"
I think I'm off to a great start, the alerts are being triggered and so forth, but I get no httpd-guardian messages in the apache error_log.
Added the line:
open STDERR, ">>/tmp/hg_log";
at the top of the httpd-guardian script, and the messages all show up just fine in hg_log. I was hoping to have them show alongside the rest of the Apache error_log, and that seems to be what the documentation suggests will happen. Any advice?
I'm using:
ModSecurity for Apache 2.1.0
Apache/2.2.4 (Unix) mod_ssl/2.2.4 OpenSSL/0.9.8b DAV/2 mod_apreq2-20051231/2.6.0 mod_perl/2.0.3 Perl/v5.8.8
Rev 1.6 of httpd-guardian from the sourceforge CVS site
Thanks, and let me know if I can provide any other info that might help.
-Miles
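The exchange above covers two things: where httpd-guardian's diagnostics go (its STDERR, which Ryan points at Apache's error_log with a reopened filehandle) and what it does once a client exceeds the requests-per-interval threshold (log the event, then run PROTECT_EXEC with %s replaced by the client IP). The following is an added example, not the httpd-guardian script and not code from the mod_security project: a Python sketch of the same threshold-and-action loop, with the log destination and the command runner both injectable. Everything it assumes is marked: that the client IP is the first whitespace-separated field of the guardian log line (Apache common-log layout), the window and threshold values, the command template, and the constructed sample lines.

```python
"""Rate-threshold loop in the style of httpd-guardian (added example).

Assumptions, not taken from the real script: the guardian log line carries the
client IP as its first whitespace-separated field (Apache common-log style),
the window/threshold defaults, and the PROTECT_EXEC template. The real
httpd-guardian is Perl; this only mirrors the behaviour described in the thread.
"""
import ipaddress
import shlex
import subprocess
import sys
from collections import defaultdict, deque


def client_ip(line):
    """Return the first field if it parses as an IP address, else None.

    Validating the field means a hostname, a '-' placeholder or junk in the
    log can never be substituted into the PROTECT_EXEC command.
    """
    fields = line.split()
    if not fields:
        return None
    try:
        return str(ipaddress.ip_address(fields[0]))
    except ValueError:
        return None


class Guardian:
    def __init__(self, window_sec=60, threshold_rps=0.1, protect_exec=None,
                 log=sys.stderr, runner=subprocess.run):
        self.window = window_sec
        self.threshold = threshold_rps
        self.protect_exec = protect_exec   # e.g. "/usr/bin/logger DoS Attack Identified from %s"
        self.log = log                     # pass open("/path/to/error_log", "a") to land in Apache's log
        self.runner = runner               # injectable so tests need not spawn anything
        self.hits = defaultdict(deque)     # ip -> request timestamps inside the window
        self.blocked = {}                  # ip -> time the action fired
        self.executed = []                 # argv lists handed to the runner

    def feed(self, line, now):
        """Process one guardian log line observed at epoch time `now`."""
        ip = client_ip(line)
        if ip is None:
            return False
        return self.observe(ip, now)

    def observe(self, ip, now):
        q = self.hits[ip]
        q.append(now)
        while q and now - q[0] > self.window:    # slide the window forward
            q.popleft()
        if ip in self.blocked:                   # act once per client
            return False
        speed = len(q) / self.window
        if speed <= self.threshold:
            return False
        self.blocked[ip] = now
        self._log("IP address %s reached the %d sec threshold "
                  "(speed = %.4f req/sec, threshold = %s req/sec)"
                  % (ip, self.window, speed, self.threshold))
        self._act(ip)
        return True

    def _act(self, ip):
        if not self.protect_exec:
            return
        # Split the template once, substitute %s per argument, exec without a
        # shell: the address never reaches a shell parser.
        argv = [arg.replace("%s", ip) for arg in shlex.split(self.protect_exec)]
        self._log("Executing: " + " ".join(argv))
        self.executed.append(argv)
        self.runner(argv, check=False)

    def _log(self, msg):
        print("httpd-guardian: " + msg, file=self.log, flush=True)


# Constructed sample input: eight requests from one client within three
# seconds, two from another, and a line with no usable client address.
SAMPLE = [
    (1175298720 + i * 0.4,
     '10.0.0.5 - - [30/Mar/2007:17:52:00 -0700] "GET /index.html HTTP/1.1" 200 512')
    for i in range(8)
] + [
    (1175298721, '10.0.0.9 - - [30/Mar/2007:17:52:01 -0700] "GET /a HTTP/1.1" 200 10'),
    (1175298722, '10.0.0.9 - - [30/Mar/2007:17:52:02 -0700] "GET /b HTTP/1.1" 200 10'),
    (1175298723, '- - - [30/Mar/2007:17:52:03 -0700] "GET /c HTTP/1.1" 404 0'),
]


def run_sample(runner=lambda argv, check: None):
    """Feed SAMPLE through a Guardian and return it for inspection."""
    g = Guardian(window_sec=60, threshold_rps=0.1,
                 protect_exec="/usr/bin/logger DoS Attack Identified from %s",
                 log=sys.stderr, runner=runner)
    for ts, line in SAMPLE:
        g.feed(line, ts)
    return g


if __name__ == "__main__":
    run_sample(runner=subprocess.run)   # really invokes logger(1) if it is installed
```

With a 60 second window and a 0.1 req/sec threshold, the seventh request from 10.0.0.5 (7/60 req/sec) crosses the line; the client is logged and acted on exactly once, the two-request client is left alone, and the line whose first field is not an address is dropped before it can reach the command.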
> [Ryan Barnett] Agreed, Brian is extremely skilled at bushwhacking
> through the Apache source code jungle :)
Heh. Basically, Apache did not have a handler configured to handle the
request, so it used the default handler (file lookup) and the file was
not there, so it issued the 404 and terminated the request and did not
pass it on to the other modules (including mod_security).
The above ErrorDocument works fine if you want to hard-code the
servername in (I don't like that, personally). If you don't then you
can do something like this:
# Make a request for /_redirect/portal.html
ErrorDocument 404 /_redirect/portal.html
# Redirect your IP range to the real page
RewriteCond %{REMOTE_ADDR} "^192\.168\.0\.2([0][0-9]|10)$"
RewriteRule ^/_redirect(/.*) $1 [R,L]
Now, if you don't need to redirect the browser, you can just serve the
/portal.html page as any page that would have normally generated a 404:
ErrorDocument 404 /portal.html
In this case, the page: